LDAP Authentication

The CyberArk Vault transparently supports User Accounts and Groups of users whose details are stored externally in LDAP-compliant directories. To maintain the typically high level of security in the Vault, the security attributes of LDAP User Accounts and Groups are managed internally rather than in the external directory.

For information about configuring the Vault to manage users through LDAP, refer to Configure transparent user management using LDAP.


Users can authenticate to the Vault with LDAP authentication from Password Vault Web Access through any of the following directories:

MS Active-Directory – Windows 2008 (native/mixed mode), Windows 2012, Windows 2012 R2, Windows 2016
Sun One v5.2
IBM Tivoli Directory Server v6.0
Novell eDirectory v8.7.1
Oracle Internet Directory v10.1.4

This list may be updated frequently as additional directories are certified. Contact CyberArk Customer Support for information about additional directories that are not mentioned in the list above.

Configure LDAP authentication

Users whose details are stored in an LDAP-compliant directory can authenticate to the Vault directly from the PrivateArk Client or the PVWA. The Vault communicates with LDAP-compliant directory servers to obtain user identification and security information. The Vault automatically provisions Vault users based on the external user account, its group membership, and its attributes.

Configure the Vault to recognize LDAP directories. For details, see Configure transparent user management using LDAP.

Configure the User Account

In the PrivateArk Client, configure the user account to authenticate with LDAP authentication.

Authenticate through the PVWA

Authenticate through the PrivateArk Client